Date
Dec. 9, 2024, 6:35 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 26.398728] ==================================================================
[ 26.400744] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 26.401441] Read of size 1 at addr fff00000c6574000 by task kunit_try_catch/217
[ 26.402383]
[ 26.402776] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 26.404209] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.404807] Hardware name: linux,dummy-virt (DT)
[ 26.405442] Call trace:
[ 26.405989]  show_stack+0x20/0x38 (C)
[ 26.406646]  dump_stack_lvl+0x8c/0xd0
[ 26.407401]  print_report+0x118/0x5e0
[ 26.407906]  kasan_report+0xc8/0x118
[ 26.408563]  __asan_report_load1_noabort+0x20/0x30
[ 26.409228]  mempool_uaf_helper+0x314/0x340
[ 26.409929]  mempool_kmalloc_large_uaf+0xbc/0x118
[ 26.410674]  kunit_try_run_case+0x14c/0x3d0
[ 26.411435]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.412120]  kthread+0x24c/0x2d0
[ 26.412648]  ret_from_fork+0x10/0x20
[ 26.413218]
[ 26.413561] The buggy address belongs to the physical page:
[ 26.414183] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106574
[ 26.415229] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.416040] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 26.416834] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.417683] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.418509] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.419436] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.420208] head: 0bfffe0000000002 ffffc1ffc3195d01 ffffffffffffffff 0000000000000000
[ 26.420873] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 26.421561] page dumped because: kasan: bad access detected
[ 26.422207]
[ 26.422522] Memory state around the buggy address:
[ 26.423520]  fff00000c6573f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.424294]  fff00000c6573f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.425213] >fff00000c6574000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.426113]                    ^
[ 26.426541]  fff00000c6574080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.427501]  fff00000c6574100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.428289] ==================================================================
[ 26.500632] ==================================================================
[ 26.501679] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 26.502474] Read of size 1 at addr fff00000c657c000 by task kunit_try_catch/221
[ 26.503160]
[ 26.503523] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 26.504674] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.505254] Hardware name: linux,dummy-virt (DT)
[ 26.506275] Call trace:
[ 26.506749]  show_stack+0x20/0x38 (C)
[ 26.507574]  dump_stack_lvl+0x8c/0xd0
[ 26.508051]  print_report+0x118/0x5e0
[ 26.508598]  kasan_report+0xc8/0x118
[ 26.509165]  __asan_report_load1_noabort+0x20/0x30
[ 26.509828]  mempool_uaf_helper+0x314/0x340
[ 26.510407]  mempool_page_alloc_uaf+0xb8/0x118
[ 26.511181]  kunit_try_run_case+0x14c/0x3d0
[ 26.511816]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.512501]  kthread+0x24c/0x2d0
[ 26.513040]  ret_from_fork+0x10/0x20
[ 26.513540]
[ 26.513899] The buggy address belongs to the physical page:
[ 26.514499] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10657c
[ 26.515372] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.516168] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 26.517278] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.518149] page dumped because: kasan: bad access detected
[ 26.518868]
[ 26.519632] Memory state around the buggy address:
[ 26.520148]  fff00000c657bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.521077]  fff00000c657bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.521927] >fff00000c657c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.522675]                    ^
[ 26.523475]  fff00000c657c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.524271]  fff00000c657c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.525037] ==================================================================
```

qemu-x86_64:

```
[ 26.589866] ==================================================================
[ 26.591079] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 26.591865] Read of size 1 at addr ffff8881023ac000 by task kunit_try_catch/236
[ 26.592645]
[ 26.593070] CPU: 1 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 26.593923] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.594426] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.595268] Call Trace:
[ 26.595507]  <TASK>
[ 26.595829]  dump_stack_lvl+0x73/0xb0
[ 26.596350]  print_report+0xd1/0x640
[ 26.597170]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.598045]  ? kasan_addr_to_slab+0x11/0xa0
[ 26.598634]  kasan_report+0x102/0x140
[ 26.599259]  ? mempool_uaf_helper+0x394/0x400
[ 26.599730]  ? mempool_uaf_helper+0x394/0x400
[ 26.600564]  __asan_report_load1_noabort+0x18/0x20
[ 26.601433]  mempool_uaf_helper+0x394/0x400
[ 26.602080]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.602597]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.603692]  mempool_kmalloc_large_uaf+0xb3/0x100
[ 26.604423]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 26.605304]  ? __switch_to+0x5d9/0xf60
[ 26.605580]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 26.606483]  ? __pfx_mempool_kfree+0x10/0x10
[ 26.607075]  ? __pfx_read_tsc+0x10/0x10
[ 26.607649]  ? ktime_get_ts64+0x86/0x230
[ 26.608252]  kunit_try_run_case+0x1b3/0x490
[ 26.608665]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.609486]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.609882]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.610529]  ? __kthread_parkme+0x82/0x160
[ 26.611085]  ? preempt_count_sub+0x50/0x80
[ 26.611523]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.612497]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.613153]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.613699]  kthread+0x257/0x310
[ 26.614887]  ? __pfx_kthread+0x10/0x10
[ 26.615238]  ret_from_fork+0x41/0x80
[ 26.615855]  ? __pfx_kthread+0x10/0x10
[ 26.616424]  ret_from_fork_asm+0x1a/0x30
[ 26.616917]  </TASK>
[ 26.617156]
[ 26.617406] The buggy address belongs to the physical page:
[ 26.618400] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1023ac
[ 26.619425] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 26.620197] flags: 0x200000000000040(head|node=0|zone=2)
[ 26.620844] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.622040] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.623087] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 26.624155] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.625220] head: 0200000000000002 ffffea000408eb01 ffffffffffffffff 0000000000000000
[ 26.626241] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 26.626969] page dumped because: kasan: bad access detected
[ 26.627724]
[ 26.628084] Memory state around the buggy address:
[ 26.628535]  ffff8881023abf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.629517]  ffff8881023abf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.630185] >ffff8881023ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.631068]                    ^
[ 26.631572]  ffff8881023ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.632332]  ffff8881023ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.633600] ==================================================================
[ 26.727088] ==================================================================
[ 26.728007] BUG: KASAN: use-after-free in mempool_uaf_helper+0x394/0x400
[ 26.728997] Read of size 1 at addr ffff888102b3c000 by task kunit_try_catch/240
[ 26.730051]
[ 26.730634] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1
[ 26.732224] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.732764] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.734129] Call Trace:
[ 26.734671]  <TASK>
[ 26.734889]  dump_stack_lvl+0x73/0xb0
[ 26.735753]  print_report+0xd1/0x640
[ 26.736642]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.737062]  ? kasan_addr_to_slab+0x11/0xa0
[ 26.737750]  kasan_report+0x102/0x140
[ 26.738165]  ? mempool_uaf_helper+0x394/0x400
[ 26.739418]  ? mempool_uaf_helper+0x394/0x400
[ 26.740126]  __asan_report_load1_noabort+0x18/0x20
[ 26.741046]  mempool_uaf_helper+0x394/0x400
[ 26.741848]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 26.742579]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.743512]  mempool_page_alloc_uaf+0xb1/0x100
[ 26.744143]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 26.745126]  ? __switch_to+0x5d9/0xf60
[ 26.745804]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 26.746536]  ? __pfx_mempool_free_pages+0x10/0x10
[ 26.747318]  ? __pfx_read_tsc+0x10/0x10
[ 26.748097]  ? ktime_get_ts64+0x86/0x230
[ 26.748765]  kunit_try_run_case+0x1b3/0x490
[ 26.749548]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.750204]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.750740]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.752036]  ? __kthread_parkme+0x82/0x160
[ 26.752881]  ? preempt_count_sub+0x50/0x80
[ 26.753240]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.753898]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.754326]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.755009]  kthread+0x257/0x310
[ 26.755311]  ? __pfx_kthread+0x10/0x10
[ 26.755999]  ret_from_fork+0x41/0x80
[ 26.756779]  ? __pfx_kthread+0x10/0x10
[ 26.757680]  ret_from_fork_asm+0x1a/0x30
[ 26.758124]  </TASK>
[ 26.758887]
[ 26.759193] The buggy address belongs to the physical page:
[ 26.760141] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b3c
[ 26.761224] flags: 0x200000000000000(node=0|zone=2)
[ 26.762138] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 26.763134] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 26.764351] page dumped because: kasan: bad access detected
[ 26.765055]
[ 26.765321] Memory state around the buggy address:
[ 26.766359]  ffff888102b3bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.767435]  ffff888102b3bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.768066] >ffff888102b3c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.769078]                    ^
[ 26.769342]  ffff888102b3c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.770608]  ffff888102b3c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.771407] ==================================================================
```